4 types of employees who put your cybersecurity at risk, and 10 things you can do to stop them

You’ve probably heard of Edward Snowden, the former National Security Agency contractor accused of leaking top-secret information about government surveillance programs to the news media, and Bradley Manning, the former Army intelligence analyst convicted of leaking reams of classified material about the war in Iraq to WikiLeaks.

But have you heard about the four stolen laptops containing personal information on more than 4 million patients of an Illinois health care provider? The employee at a Boston law firm who lost, on a bus, a USB drive containing medical information on 160 clients in a medical malpractice case? The CBS Morning News segment on Super Bowl security that inadvertently broadcast the security center’s SSID and password to the world?

Those were just some of the more obscure examples of recent data breaches cited during an ABA Techshow presentation Friday entitled “War Stories of Staff Use of Unapproved Data Services & Devices.” Co-presenters John Jelderks, director of information technology at the Chicago firm Barack Ferrazzano Kirschbaum & Nagelberg, and David G. Ries, an environmental litigator and technology lawyer at Clark Hill Thorp Reed in Pittsburgh, talked about the insider threat posed to workplaces by rogue employees, and made a few suggestions as to what law firms can and should be doing to address it.

The insider threat to workplace security is a serious–and growing–problem, Jelderks and Ries said. They cited the results of a recent survey showing that 41 percent of IT security professionals regard “rogue” employees as the biggest security threat to their organizations. They also cited the 2013 U.S. State of Cybercrime Survey, in which 53 percent of the participants reported having experienced an “internal incident.”

There are four types of employees who put the workplace at risk, according to the pair:

• The security softie, who knows very little about security and poses a threat by using their work computer at home or letting family members use it.

• The gadget geek, who comes to work armed with a variety of devices that get plugged into their PC.

• The squatter, who uses company IT resources in ways they shouldn’t.

• The saboteur, who will hack into areas to which they don’t have access or infect the network on purpose.

“I can’t tell you how many times I’ve had an attorney call me and say, ‘I’ve lost my device. Can you disable it?’ ” he said.

Too often, though, he says, the call comes long after the device has been lost and the data on it could already have been compromised.

Ries stressed the importance of encrypting the data stored on any laptop, smart phone or mobile device. “I can’t stress enough how critical that is,” he said. “All portable devices should be encrypted.”

In closing, both men offered their top five tips for mitigating insider threats.

Jelderks’ advice:

1.) Set up a communications and training program so employees know all of the do’s and don’ts when it comes to technology.

2.) Make sure the IT staff keeps all systems up to date.

3.) Have a security assessment performed by an outside vendor.

4.) Encrypt all data.

5.) Insist that employees regularly change their passwords.

Ries’ advice:

1.) Have a comprehensive information security program in place.

2.) Practice constant security awareness.

3.) Offer ongoing security training to employees.

4.) Implement limited-access and least-privilege policies.

5.) Make sure that all information placed in the hands of third parties is secured.

“That’s a big part of the insider threat that’s often neglected or overlooked,” Ries said.